Analysis
-
max time kernel
119s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 04:21
General
-
Target
cba8754ae5785da5d3da05cd5fb3d52b77729c64ddb86cd0c79831b8ad75a28c.exe
-
Size
908KB
-
MD5
b4a1a136d4f08945c12f170963337a25
-
SHA1
0635813b35f5a9698d36ce74afacfdf79bba2a69
-
SHA256
cba8754ae5785da5d3da05cd5fb3d52b77729c64ddb86cd0c79831b8ad75a28c
-
SHA512
ab207b9fbcd4ebe47aeee598fc9ca8871b6ce3ebc28c31e065577a25cda65ceeb9bc3931204f26a7561c1b3c570852edf01a4fa96eb5c8d0bc835eb6bd46460c
-
SSDEEP
12288:QqjqRBa80gi+TCUQpd6KA26mY6nltHnhm9FXRJ:QwqN0gi+TCUQvHEFXH
Malware Config
Signatures
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Imminent family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cba8754ae5785da5d3da05cd5fb3d52b77729c64ddb86cd0c79831b8ad75a28c.exe"C:\Users\Admin\AppData\Local\Temp\cba8754ae5785da5d3da05cd5fb3d52b77729c64ddb86cd0c79831b8ad75a28c.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\model\print.exe"C:\Users\Admin\AppData\Roaming\model\print.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
908KB
MD500de75462ef6c796ab9e1ca61f6c3f7f
SHA1519015401626f5e4ed4cec040cecf70ef03ff472
SHA256b4ecabc4a8c1459d0e24a1b302ce06974c7f9ad7ee1d267755b17b3a31eeab23
SHA512f329cb011570aeebbbcbbf86f5db5b7e370b373ed52a55f038e81b784c60f2f55bc4a65e1954e40fcd68d9792b3a0db0f9b393423dcdd81abc1d902d48cf2267
-
Filesize
7.7MB
-
Filesize
888KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
352KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
344KB
-
Filesize
696KB
-
Filesize
160KB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
96KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
7.7MB